[glib/wip/tingping/pkcs11] gtlscertificate: Add pkcs11 URI properties and constructor
- From: Patrick Griffis <pgriffis src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/wip/tingping/pkcs11] gtlscertificate: Add pkcs11 URI properties and constructor
- Date: Wed, 26 Jun 2019 18:45:55 +0000 (UTC)
commit 451ead0479aefe2f33b3c5ad1d31c1dea5f47db2
Author: Patrick Griffis <pgriffis igalia com>
Date: Wed Jun 19 09:10:52 2019 -0700
gtlscertificate: Add pkcs11 URI properties and constructor
docs/reference/gio/gio-sections.txt | 1 +
gio/gtlscertificate.c | 112 +++++++++++++++++++++++++++++++++++-
gio/gtlscertificate.h | 5 ++
gio/tests/gtesttlsbackend.c | 12 +++-
gio/tests/tls-certificate.c | 16 ++++++
5 files changed, 142 insertions(+), 4 deletions(-)
---
diff --git a/docs/reference/gio/gio-sections.txt b/docs/reference/gio/gio-sections.txt
index 6aa07b462..61c3e0b76 100644
--- a/docs/reference/gio/gio-sections.txt
+++ b/docs/reference/gio/gio-sections.txt
@@ -3731,6 +3731,7 @@ GTlsCertificate
g_tls_certificate_new_from_pem
g_tls_certificate_new_from_file
g_tls_certificate_new_from_files
+g_tls_certificate_new_from_pkcs11_uris
g_tls_certificate_list_new_from_file
g_tls_certificate_get_issuer
g_tls_certificate_verify
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index 72de5eb1f..827c2b21a 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -60,7 +60,9 @@ enum
PROP_CERTIFICATE_PEM,
PROP_PRIVATE_KEY,
PROP_PRIVATE_KEY_PEM,
- PROP_ISSUER
+ PROP_ISSUER,
+ PROP_PKCS11_CERTIFICATE_URI,
+ PROP_PKCS11_PRIVATE_KEY_URI,
};
static void
@@ -74,7 +76,16 @@ g_tls_certificate_get_property (GObject *object,
GValue *value,
GParamSpec *pspec)
{
- G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ switch (prop_id)
+ {
+ case PROP_PKCS11_CERTIFICATE_URI:
+ case PROP_PKCS11_PRIVATE_KEY_URI:
+ /* Subclasses must override this property but this allows older backends to not fatally error */
+ g_value_set_static_string (value, NULL);
+ break;
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ }
}
static void
@@ -83,7 +94,14 @@ g_tls_certificate_set_property (GObject *object,
const GValue *value,
GParamSpec *pspec)
{
- G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ switch (prop_id)
+ {
+ case PROP_PKCS11_CERTIFICATE_URI:
+ case PROP_PKCS11_PRIVATE_KEY_URI:
+ break;
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ }
}
static void
@@ -193,6 +211,43 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
G_PARAM_READWRITE |
G_PARAM_CONSTRUCT_ONLY |
G_PARAM_STATIC_STRINGS));
+
+ /**
+ * GTlsCertificate:pkcs11-certificate-uri:
+ *
+ * A URI referencing the PKCS \#11 object containing a X.509 certificate.
+ *
+ * If %NULL the certificate is either not backed by PKCS \#11 or the
+ * #GTlsBackend does not support PKCS \#11.
+ *
+ * Since: 2.62
+ */
+ g_object_class_install_property (gobject_class, PROP_PKCS11_CERTIFICATE_URI,
+ g_param_spec_string ("pkcs11-certificate-uri",
+ P_("PKCS #11 certificate URI"),
+ P_("The PKCS #11 URI for the certificate"),
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT_ONLY |
+ G_PARAM_STATIC_STRINGS));
+
+
+ /**
+ * GTlsCertificate:pkcs11-private-key-uri:
+ *
+ * A URI referencing the PKCS \#11 object containing a private key.
+ *
+ * Since: 2.62
+ */
+ g_object_class_install_property (gobject_class, PROP_PKCS11_PRIVATE_KEY_URI,
+ g_param_spec_string ("pkcs11-private-key-uri",
+ P_("PKCS #11 private key URI"),
+ P_("The PKCS #11 URI for the private key"),
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT_ONLY |
+ G_PARAM_STATIC_STRINGS));
+
}
static GTlsCertificate *
@@ -591,6 +646,57 @@ g_tls_certificate_new_from_files (const gchar *cert_file,
return cert;
}
+/**
+ * g_tls_certificate_new_from_pkcs11_uris:
+ * @certificate_uri: A PKCS \#11 URI for the X.509 certificate
+ * @private_key_uri: (nullable): A PKCS \#11 URI for a private key
+ * @error: #GError for error reporting, or %NULL to ignore.
+ *
+ * Creates a #GTlsCertificate from PKCS \#11 URIs. @certificate_uri
+ * must not be pin protected. This function does not ensure
+ * @private_key_uri points to a valid object and may fail or
+ * require a PIN at later usage.
+ *
+ * Returns: the new certificate, or %NULL on error
+ *
+ * Since: 2.62
+ */
+GTlsCertificate *
+g_tls_certificate_new_from_pkcs11_uris (const gchar *certificate_uri,
+ const gchar *private_key_uri,
+ GError **error)
+{
+ GObject *cert;
+ GTlsBackend *backend;
+
+ g_return_val_if_fail (certificate_uri, NULL);
+
+ backend = g_tls_backend_get_default ();
+
+ cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
+ NULL, error,
+ "pkcs11-certificate-uri", certificate_uri,
+ "pkcs11-private-key-uri", private_key_uri,
+ NULL);
+
+ if (cert != NULL)
+ {
+ gchar *objects_uri;
+
+ /* Old implementations might not override this property */
+ g_object_get (cert, "pkcs11-certificate-uri", &objects_uri, NULL);
+ if (objects_uri == NULL)
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, "This GTlsBackend does not
support creating PKCS #11 certificates");
+ g_object_unref (cert);
+ return NULL;
+ }
+ g_free (objects_uri);
+ }
+
+ return G_TLS_CERTIFICATE (cert);
+}
+
/**
* g_tls_certificate_list_new_from_file:
* @file: (type filename): file containing PEM-encoded certificates to import
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index a064543c4..d572828d0 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -71,6 +71,11 @@ GLIB_AVAILABLE_IN_ALL
GTlsCertificate *g_tls_certificate_new_from_files (const gchar *cert_file,
const gchar *key_file,
GError **error);
+GLIB_AVAILABLE_IN_2_62
+GTlsCertificate *g_tls_certificate_new_from_pkcs11_uris (const gchar *certificate_uri,
+ const gchar *private_key_uri,
+ GError **error);
+
GLIB_AVAILABLE_IN_ALL
GList *g_tls_certificate_list_new_from_file (const gchar *file,
GError **error);
diff --git a/gio/tests/gtesttlsbackend.c b/gio/tests/gtesttlsbackend.c
index 157a4a3f3..b223dbf9c 100644
--- a/gio/tests/gtesttlsbackend.c
+++ b/gio/tests/gtesttlsbackend.c
@@ -91,6 +91,7 @@ struct _GTestTlsCertificate {
gchar *key_pem;
gchar *cert_pem;
GTlsCertificate *issuer;
+ gchar *pkcs11_certificate_uri;
};
struct _GTestTlsCertificateClass {
@@ -103,7 +104,8 @@ enum
PROP_CERT_CERTIFICATE_PEM,
PROP_CERT_PRIVATE_KEY,
PROP_CERT_PRIVATE_KEY_PEM,
- PROP_CERT_ISSUER
+ PROP_CERT_ISSUER,
+ PROP_CERT_PKCS11_CERTIFICATE_URI,
};
static void g_test_tls_certificate_initable_iface_init (GInitableIface *iface);
@@ -141,6 +143,9 @@ g_test_tls_certificate_get_property (GObject *object,
case PROP_CERT_ISSUER:
g_value_set_object (value, cert->issuer);
break;
+ case PROP_CERT_PKCS11_CERTIFICATE_URI:
+ g_value_set_string (value, cert->pkcs11_certificate_uri);
+ break;
default:
g_assert_not_reached ();
break;
@@ -166,6 +171,9 @@ g_test_tls_certificate_set_property (GObject *object,
case PROP_CERT_ISSUER:
cert->issuer = g_value_dup_object (value);
break;
+ case PROP_CERT_PKCS11_CERTIFICATE_URI:
+ cert->pkcs11_certificate_uri = g_value_dup_string (value);
+ break;
case PROP_CERT_CERTIFICATE:
case PROP_CERT_PRIVATE_KEY:
/* ignore */
@@ -183,6 +191,7 @@ g_test_tls_certificate_finalize (GObject *object)
g_free (cert->cert_pem);
g_free (cert->key_pem);
+ g_free (cert->pkcs11_certificate_uri);
g_clear_object (&cert->issuer);
G_OBJECT_CLASS (g_test_tls_certificate_parent_class)->finalize (object);
@@ -205,6 +214,7 @@ g_test_tls_certificate_class_init (GTestTlsCertificateClass *test_class)
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY, "private-key");
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PEM, "private-key-pem");
g_object_class_override_property (gobject_class, PROP_CERT_ISSUER, "issuer");
+ g_object_class_override_property (gobject_class, PROP_CERT_PKCS11_CERTIFICATE_URI,
"pkcs11-certificate-uri");
}
static void
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index e1ba23737..f8bf02483 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -398,6 +398,19 @@ list_from_file (const Reference *ref)
g_assert_cmpint (g_list_length (list), ==, 0);
}
+static void
+from_pkcs11_uri (void)
+{
+ GError *error = NULL;
+ GTlsCertificate *cert;
+
+ cert = g_tls_certificate_new_from_pkcs11_uris
("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", NULL, &error);
+ g_assert_no_error (error);
+ g_assert_nonnull (cert);
+
+ g_object_unref (cert);
+}
+
int
main (int argc,
char *argv[])
@@ -464,6 +477,9 @@ main (int argc,
&ref, (GTestDataFunc)from_files_pkcs8enc);
g_test_add_data_func ("/tls-certificate/list_from_file",
&ref, (GTestDataFunc)list_from_file);
+ g_test_add_func ("/tls-certificate/pkcs11-uri",
+ from_pkcs11_uri);
+
rtv = g_test_run();
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]